General discussion


How do you monitor for unauthorized access into your servers?

By Neon Samurai ·
I thought this would be an interesting topic while I do my own reading on the side.

For the system admins, how do you watch for unauthorized access? Failed passwords are pretty obvious; grep the log for "denied" and start validating what comes up. Do you have a trick for spotting such access where Eve has come in with a valid but "borrowed" account?

Off the top of my head, I'm thinking a daily check of logins compared to valid work times This would limit the blind spot to Eve knowing the staffer's regular work times. Now we have to check for connection source along with times. The blind spot is now Eve having the staffer's regular work schedule and location by spoofing or physical visit.

For my part, I've been given the task of writing up the company's process outline for this very thing and thought it may be a beneficial discussion for the other sys admins also.

This conversation is currently closed to new comments.

Thread display: Collapse - | Expand +

All Comments

Collapse -

Monitoring & Reporting

by davidt In reply to How do you monitor for un ...

I use SBS 2003's daily Monitoring and Reporting, and then dig deeper into the logs if there is anything that stands out.

Collapse -

Linux servers?

by pgit In reply to How do you monitor for un ...

If you can identify "Eve's" IP, iptstate could be helpful. Ive used it to write up quick iptables rules to block some kiddie trying to hack whatever server. Haven't been able to automate the process, though.

Collapse -

That could work well

by Neon Samurai In reply to Linux servers?

I've seen port 22 monitors that watch for failed attempts and blacklist in response. Only the few ports that have to be world accessible on specific machines are outside the strict firewall rules but it could be something to consider on all higher risk ports.

I need to find some deeper stuff too like how to detect someone digging around the system. They've got in, now how to do I detect them mucking in my databases.

Collapse -


by dwdino In reply to How do you monitor for un ...

I don't approve of unauthorized access.

It has never occured using this method.

Collapse -

and, when it does happen

by Neon Samurai In reply to Simple

Well yes, the idea is to not approve of unauthorized access naturally. Unless you have all services shutdown and all ports blocked, how do you confirm that this approach is working on a system which has to be accessed by multiple authorized users?

Is there a specific approach, software or hardware mechanism you have in place to insure only authorized access and report unauthorized attempts? Can you detect access through a valid user account if used by an unauthorized person?

This is about where I'm at now. I have lots of stuff in place from config auditing and improvement through to log tracking. I'm curious as to what more I can do or how others maintain a publicly accessible system.

Collapse -


by dwdino In reply to and, when it does happen

I was being aloof.

We enable full auditing on our servers. All connection attempts - pass or fail, and all logins are logged.

Our monitoring system then audits these logs for Error or Failed entries. If more than a few are found close together and alert is thrown.

Also, we implement lowest required permissions. There are no publicly available resources. All resources require membership to a group or direct ACL.

Collapse -


by Saurondor In reply to How do you monitor for un ...

Among other things it...

# Daemon process that checks for login authentication failures for:

* Courier imap, Dovecot, uw-imap, Kerio
* openSSH
* cPanel, WHM, Webmail (cPanel servers only)
* Pure-pftd, vsftpd, Proftpd
* Password protected web pages (htpasswd)
* Mod_security failures (v1 and v2)
* Suhosin failures
* Custom login failures with separate log file and regular expression matching

# POP3/IMAP login tracking to enforce logins per hour
# SSH login notification
# SU login notification

Collapse -

Interesting, this one will take some reading

by Neon Samurai In reply to CSF

As a given on Debian, the IDS and such installed through the harden packages are in place but this looks like it does some nice reporting and I'm always looking for things that will confirm my config or suggest improvements.

Bastille and Lynis are good for that as starting points.

Collapse -

Is there any free or paid solutions

by sal7 In reply to How do you monitor for un ...

Hello all ,
am asking if there are any free or non free solution (software ) for monitoring issues ...please give some specific details about this subject ....


Collapse -

What OS platform and what are you monitoring?

by Neon Samurai In reply to Is there any free or paid ...

It depends on the OS platform your using and what you are watching for.

With Debian, read the Securing Debian documentation. Also install the following packaged:

aptitude install \
harden harden-clients harden-nids harden-servers tiger john checksecurity \
chkrootkit rkhunter bastille psad tripwire \

I then manually toss Lynis in my working folder.

The Harden packages provide a number of tools for the system. harden-nids is concerned with network intrution specifically.

Tripwire reports on file system changes.

PSAD and Snort report on network traffic hitting the machine.

Bastille helps with secure config changes. Lynis further reviews the config and recommends further changes.

Tiger checks the server for security issues and changes.

Rkhunter and Chkrootkit scan for evidence of that particular type of malware activity.

harden-servers and harden-clients intentionally conflict with low security server and client software like telnet deamon or the telnet client avoiding the chance of such servers/clients being installed later.

Further steps would be putting a box in-between the server and the outside network as a transparent IDS/IPS analyzing all traffic.

Where I'm at now is detecting activity within services inside all that then validating that activity. I'm pretty sure all this keeps most things out but I want to be sure that what does get in is valid.

Related Discussions

Related Forums